Microsoft scrambling to fix new Outlook security hole

(IDG) -- Microsoft Corp. is once again scrambling to fix a newly discovered vulnerability in its software that security experts warn is every bit as dangerous as one publicized earlier this week.

The latest hole involves Microsoft Outlook and Outlook Express e-mail clients. The buffer overrun vulnerability -- which initially was discovered by an Argentinian security firm -- allows crackers to launch an attack via the popular Internet e-mail software without victims having to do a thing to initiate it and infect their systems.

Users can work around the problem today, but only by doing a full-version upgrade of their Web browser software to either Internet Explorer 5.5 or Service Pack 1 of IE 5.01, Microsoft said. Windows 2000 users who have IE 5.5 will need to uninstall the software and re-install the IE 5.01 service pack, the company added.

Although Microsoft's advisory refers to the availability of a patch for the Outlook hole, no standalone patch that fixes it exists today, a Microsoft spokeswoman admitted. But the company is working on a patch that will eliminate the need for the full-version IE upgrade, she added.

"We are working on it as fast as humanly possible and we have every expectation that it will become available real soon, possibly even [Thursday]," the Microsoft spokeswoman said.

According to a Microsoft advisory, a cracker could exploit the vulnerability to send e-mail that when downloaded from a server would either crash Outlook or cause malicious code to be run on the victim's computer.

"Such code could take any action that the user was authorized to take on the machine, including reformatting the hard drive, communicating with an external Web site or changing data on the computer," the Microsoft advisory warned.

Because the Outlook vulnerability occurs when the mail is being downloaded from the server, recipients don't need to open the mail -- or even preview it -- for the vulnerability to be exploited, said Jesper Johansson, an assistant professor at Boston University and editor of the SANS Windows Security Digest.

"You are vulnerable simply by having Outlook or Outlook Express on your system," Johansson said. "I can send you an e-mail and it blows up your system."

Given the manner in which the vulnerability can be exploited, crackers don't have to be worried about users being alerted to an attack, said Russ Cooper, the Lindsay, Ontario-based editor of NTBugTraq, a popular security bulletin board. "I'm not worried about you not recognizing the sender, being suspicious of the subject line or seeing too many recipients" in the address line, Cooper said.

The ability of buffer overflows to bring systems down is nothing new and has been well understood for more than two decades, Johansson said. A buffer is a storage area within a program's memory that holds data input by a user for further processing. An overrun occurs when the data to be stored is longer than the available buffer.

Crackers can exploit unchecked buffers to invoke overflows and to overwrite the original program code with new executables. In the present instance, malicious attackers could exploit a similar unchecked buffer relating to Outlook and Outlook Express.

"Writing a buffer exploit is not the easiest thing in the world, but I've seen plenty of people do it," said Ryan Russell, manager of information systems at SecurityFocus.Com, a security portal in San Mateo, Calif. And once some working exploits are available, it becomes easy for other crackers to modify them for use in launching attacks, Russell added.

For example, code that exploits the Outlook hole already has begun circulating. A South American security firm called USSR has posted a sample exploit. The firm claims the sample will create and send an e-mail message that when downloaded by Outlook will automatically open the company's home page without the user doing anything at all.

The latest vulnerability impacts all users of Outlook Express and a very wide swath of Outlook users, Microsoft said. All Outlook users who use Post Office Protocol Version 3 (POP3) and Internet Mail Access Protocol Version 4 (IMAP4) to access their Internet mail are affected. Those who use only the Messaging Application Programming Interface (MAPI) -- most commonly seen in companies that use Microsoft Exchange as their e-mail server -- aren't impacted, according to Microsoft's advisory.

Security firm ICSA.Net, an affiliate of Gartner Group Inc. in Stamford, Conn., estimates that 50% of corporate Outlook users and nearly all home and small office Outlook users are affected by this vulnerability. That number collectively exceeds 100 million users, according to ICSA.Net.

News of the latest vulnerability comes as Microsoft also is trying to develop a permanent patch to fix an equally dangerous hole in Internet Explorer. That bug lets crackers embed malicious Visual Basic code into Microsoft's Access database management software via Internet Explorer. Microsoft last week issued a workaround to address the issue.